Examples of org.apache.ws.security.handler.RequestData

org.apache.ws.security.handler.RequestData
This class holds per request data. @author Werner Dittmann (Werner.Dittmann@t-online.de)

     */
    public void
    testGetPasswordCallbackHandlerRef() throws Exception {
        
        final WSSConfig cfg = WSSConfig.getNewInstance();
        final RequestData reqData = new RequestData();
        reqData.setWssConfig(cfg);
        reqData.setUsername("bob");
        reqData.setPwType(WSConstants.PASSWORD_TEXT);
        java.util.Map messageContext = new java.util.TreeMap();
        messageContext.put(
            WSHandlerConstants.PW_CALLBACK_REF, 
            new MyCallbackHandler()
        );
        reqData.setMsgContext(messageContext);
        
        final java.util.Vector actions = new java.util.Vector();
        actions.add(new Integer(WSConstants.UT));
        Document doc = unsignedEnvelope.getAsDocument();
        MyHandler handler = new MyHandler();

View Full Code Here

     */
    public void
    testGetPasswordRequestContextUnit() throws Exception {
        
        final WSSConfig cfg = WSSConfig.getNewInstance();
        final RequestData reqData = new RequestData();
        reqData.setWssConfig(cfg);
        java.util.Map messageContext = new java.util.TreeMap();
        messageContext.put("password", "securityPassword");
        reqData.setMsgContext(messageContext);
        
        WSHandler handler = new MyHandler();
        WSPasswordCallback callback = 
            handler.getPassword(
                "bob",

View Full Code Here

        
        //
        // Now verify it but first call Handler#doReceiverAction
        //
        final WSSConfig cfg = WSSConfig.getNewInstance();
        final RequestData reqData = new RequestData();
        reqData.setWssConfig(cfg);
        reqData.setMsgContext(new java.util.TreeMap());
        java.util.Map msgContext = new java.util.HashMap();
        msgContext.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties");
        reqData.setMsgContext(msgContext);
        
        MyHandler handler = new MyHandler();
        handler.doit(WSConstants.ST_SIGNED, reqData);
        
        secEngine.processSecurityHeader(
            signedDoc, null, this, reqData.getSigCrypto(), reqData.getDecCrypto()
        );
        
        //
        // Negative test
        //
        msgContext.put(WSHandlerConstants.SIG_PROP_FILE, "crypto.properties.na");
        reqData.setMsgContext(msgContext);
        
        handler = new MyHandler();
        try {
            handler.doit(WSConstants.ST_SIGNED, reqData);
            fail("Failure expected on a bad crypto properties file");

View Full Code Here

    testCustomAction() throws Exception {
        
        final WSSConfig cfg = WSSConfig.getNewInstance();
        final int action = 0xDEADF000;
        cfg.setAction(action, "wssec.MyAction");
        final RequestData reqData = new RequestData();
        reqData.setWssConfig(cfg);
        reqData.setMsgContext(new java.util.TreeMap());
        
        final java.util.Vector actions = new java.util.Vector();
        actions.add(new Integer(action));
        final Document doc = unsignedEnvelope.getAsDocument();
        MyHandler handler = new MyHandler();
        reqData.setMsgContext("bread");
        assertEquals(reqData.getMsgContext(), "bread");
        handler.doit(
            action, 
            doc, 
            reqData, 
            actions
        );
        assertEquals(reqData.getMsgContext(), "crumb");
    }

View Full Code Here

    testCustomActionObject() throws Exception {
        
        final WSSConfig cfg = WSSConfig.getNewInstance();
        final int action = 0xDEADF000;
        cfg.setAction(action, new wssec.MyAction());
        final RequestData reqData = new RequestData();
        reqData.setWssConfig(cfg);
        reqData.setMsgContext(new java.util.TreeMap());
        
        final java.util.Vector actions = new java.util.Vector();
        actions.add(new Integer(action));
        final Document doc = unsignedEnvelope.getAsDocument();
        MyHandler handler = new MyHandler();
        reqData.setMsgContext("bread");
        assertEquals(reqData.getMsgContext(), "bread");
        handler.doit(
            action, 
            doc, 
            reqData, 
            actions
        );
        assertEquals(reqData.getMsgContext(), "crumb");
    }

View Full Code Here

    
    public TokenValidatorResponse validateAndProcessToken(Element token,
            FederationContext config) throws ProcessingException {


        try {          
            RequestData requestData = new RequestData();
            WSSConfig wssConfig = WSSConfig.getNewInstance();
            requestData.setWssConfig(wssConfig);
            // not needed as no private key must be read
            // requestData.setCallbackHandler(new
            // PasswordCallbackHandler(password));


            AssertionWrapper assertion = new AssertionWrapper(token);
            if (!assertion.isSigned()) {
                LOG.warn("Assertion is not signed");
                throw new ProcessingException(TYPE.TOKEN_NO_SIGNATURE);
            }
            // Verify the signature
            assertion.verifySignature(requestData,
                    new WSDocInfo(token.getOwnerDocument()));


            // Now verify trust on the signature
            Credential trustCredential = new Credential();
            SAMLKeyInfo samlKeyInfo = assertion.getSignatureKeyInfo();
            trustCredential.setPublicKey(samlKeyInfo.getPublicKey());
            trustCredential.setCertificates(samlKeyInfo.getCerts());
            trustCredential.setAssertion(assertion);


            SamlAssertionValidator trustValidator = new SamlAssertionValidator();
            trustValidator.setFutureTTL(config.getMaximumClockSkew().intValue());
            
            boolean trusted = false;
            String assertionIssuer = assertion.getIssuerString();
            
            List<TrustedIssuer> trustedIssuers = config.getTrustedIssuers();
            for (TrustedIssuer ti : trustedIssuers) {
                List<String> subjectConstraints = Collections.singletonList(ti.getSubject());
                if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.CHAIN_TRUST)) {
                    trustValidator.setSubjectConstraints(subjectConstraints);
                    trustValidator.setSignatureTrustType(TRUST_TYPE.CHAIN_TRUST_CONSTRAINTS);
                } else if (ti.getCertificateValidationMethod().equals(CertificateValidationMethod.PEER_TRUST)) {
                    trustValidator.setSignatureTrustType(TRUST_TYPE.PEER_TRUST);
                } else {
                    throw new IllegalStateException("Unsupported certificate validation method: " 
                                                    + ti.getCertificateValidationMethod());
                }
                try {
                    for (TrustManager tm: config.getCertificateStores()) {
                        try {
                            requestData.setSigCrypto(tm.getCrypto());
                            trustValidator.validate(trustCredential, requestData);
                            trusted = true;
                            break;
                        } catch (Exception ex) {
                            if (LOG.isDebugEnabled()) {

View Full Code Here


        if (doTimeLog) {
            t0 = System.currentTimeMillis();
        }


        RequestData reqData = new RequestData();
        /*
         * The overall try, just to have a finally at the end to perform some
         * housekeeping.
         */
        try {
            reqData.setMsgContext(msg);
            computeAction(msg, reqData);
            Vector actions = new Vector();
            String action = getAction(msg, version);


            int doAction = WSSecurityUtil.decodeAction(action, actions);


            String actor = (String)getOption(WSHandlerConstants.ACTOR);


            CallbackHandler cbHandler = getCallback(reqData, doAction);


            /*
             * Get and check the Signature specific parameters first because
             * they may be used for encryption too.
             */
            doReceiverAction(doAction, reqData);
            
            Vector wsResult = null;
            if (doTimeLog) {
                t1 = System.currentTimeMillis();
            }


            wsResult = engine.processSecurityHeader(
                doc.getSOAPPart(), 
                actor, 
                cbHandler, 
                reqData.getSigCrypto(), 
                reqData.getDecCrypto()
            );


            if (doTimeLog) {
                t2 = System.currentTimeMillis();
            }


            if (wsResult == null) { // no security header found
                if (doAction == WSConstants.NO_SECURITY) {
                    return;
                } else if (doc.getSOAPPart().getEnvelope().getBody().hasFault()) {
                    LOG.warning("Request does not contain required Security header, " 
                                + "but it's a fault.");
                    return;
                } else {
                    LOG.warning("Request does not contain required Security header");
                    throw new WSSecurityException(WSSecurityException.INVALID_SECURITY);
                }
            }
            if (reqData.getWssConfig().isEnableSignatureConfirmation()) {
                checkSignatureConfirmation(reqData, wsResult);
            }


            checkSignatures(msg, reqData, wsResult);
            checkTimestamps(msg, reqData, wsResult);
            checkActions(msg, reqData, wsResult, actions);
            
            doResults(msg, actor, doc, wsResult);


            if (doTimeLog) {
                t3 = System.currentTimeMillis();
                TIME_LOG.fine("Receive request: total= " + (t3 - t0) 
                        + " request preparation= " + (t1 - t0)
                        + " request processing= " + (t2 - t1) 
                        + " header, cert verify, timestamp= " + (t3 - t2) + "\n");
            }


            if (doDebug) {
                LOG.fine("WSS4JInInterceptor: exit handleMessage()");
            }


        } catch (WSSecurityException e) {
            LOG.log(Level.WARNING, "", e);
            SoapFault fault = createSoapFault(version, e);
            throw fault;
        } catch (XMLStreamException e) {
            throw new SoapFault(new Message("STAX_EX", LOG), e, version.getSender());
        } catch (SOAPException e) {
            throw new SoapFault(new Message("SAAJ_EX", LOG), e, version.getSender());
        } finally {
            reqData.clear();
            reqData = null;
        }
    }

View Full Code Here

    
            if (doDebug) {
                LOG.fine("WSS4JOutInterceptor: enter handleMessage()");
            }
    
            RequestData reqData = new RequestData();
    
            reqData.setMsgContext(mc);
            
            /*
             * The overall try, just to have a finally at the end to perform some
             * housekeeping.
             */
            try {
                WSSConfig config = WSSConfig.getNewInstance();
                reqData.setWssConfig(config);
                
                /*
                 * Setup any custom actions first by processing the input properties
                 * and reconfiguring the WSSConfig with the user defined properties.
                 */
                this.configureActions(mc, doDebug, version, config);
                
                /*
                 * Get the action first.
                 */
                Vector actions = new Vector();
                String action = getString(WSHandlerConstants.ACTION, mc);
                if (action == null) {
                    throw new SoapFault(new Message("NO_ACTION", LOG), version
                            .getReceiver());
                }
    
                int doAction = WSSecurityUtil.decodeAction(action, actions, config);
                if (doAction == WSConstants.NO_SECURITY) {
                    return;
                }
    
                /*
                 * For every action we need a username, so get this now. The
                 * username defined in the deployment descriptor takes precedence.
                 */
                reqData.setUsername((String) getOption(WSHandlerConstants.USER));
                if (reqData.getUsername() == null
                        || reqData.getUsername().equals("")) {
                    String username = (String) getProperty(reqData.getMsgContext(),
                            WSHandlerConstants.USER);
                    if (username != null) {
                        reqData.setUsername(username);
                    }
                }
    
                /*
                 * Now we perform some set-up for UsernameToken and Signature
                 * functions. No need to do it for encryption only. Check if
                 * username is available and then get a passowrd.
                 */
                if ((doAction & (WSConstants.SIGN | WSConstants.UT | WSConstants.UT_SIGN)) != 0
                        && (reqData.getUsername() == null
                        || reqData.getUsername().equals(""))) {
                    /*
                     * We need a username - if none throw an SoapFault. For
                     * encryption there is a specific parameter to get a username.
                     */
                    throw new SoapFault(new Message("NO_USERNAME", LOG), version
                            .getReceiver());
                }
                if (doDebug) {
                    LOG.fine("Action: " + doAction);
                    LOG.fine("Actor: " + reqData.getActor());
                }
                /*
                 * Now get the SOAP part from the request message and convert it
                 * into a Document. This forces CXF to serialize the SOAP request
                 * into FORM_STRING. This string is converted into a document.
                 * During the FORM_STRING serialization CXF performs multi-ref of
                 * complex data types (if requested), generates and inserts
                 * references for attachements and so on. The resulting Document
                 * MUST be the complete and final SOAP request as CXF would send it
                 * over the wire. Therefore this must shall be the last (or only)
                 * handler in a chain. Now we can perform our security operations on
                 * this request.
                 */
                SOAPMessage saaj = mc.getContent(SOAPMessage.class);
    
                if (saaj == null) {
                    LOG.warning("SAAJOutHandler must be enabled for WS-Security!");
                    throw new SoapFault(new Message("NO_SAAJ_DOC", LOG), version
                            .getReceiver());
                }
    
                Document doc = saaj.getSOAPPart();
                /**
                 * There is nothing to send...Usually happens when the provider
                 * needs to send a HTTP 202 message (with no content)
                 */
                if (mc == null) {
                    return;
                }
    
                if (doTimeDebug) {
                    t1 = System.currentTimeMillis();
                }
    
                doSenderAction(doAction, doc, reqData, actions, Boolean.TRUE
                        .equals(getProperty(mc, org.apache.cxf.message.Message.REQUESTOR_ROLE)));
    
                if (doTimeDebug) {
                    t2 = System.currentTimeMillis();
                    TIME_LOG.fine("Send request: total= " + (t2 - t0)
                            + " request preparation= " + (t1 - t0)
                            + " request processing= " + (t2 - t1)
                            + "\n");
                }
    
                if (doDebug) {
                    LOG.fine("WSS4JOutInterceptor: exit handleMessage()");
                }
            } catch (WSSecurityException e) {
                throw new SoapFault(new Message("SECURITY_FAILED", LOG), e, version
                        .getSender());
            } finally {
                reqData.clear();
                reqData = null;
            }
        }

View Full Code Here

                && mc.getCurrentMessage().getMessageType() != null) {
            log.debug("WSDoAllSender: enter invoke() with msg type: "
                    + mc.getCurrentMessage().getMessageType());
        }


        RequestData reqData = new RequestData();


        reqData.setMsgContext(mc);
        /*
         * The overall try, just to have a finally at the end to perform some
         * housekeeping.
         */
        try {
            /*
             * Get the action first.
             */
            Vector actions = new Vector();
            String action = getString(WSHandlerConstants.ACTION, mc);
            if (action == null) {
                throw new AxisFault("WSDoAllSender: No action defined");
            }
            int doAction = WSSecurityUtil.decodeAction(action, actions);
            if (doAction == WSConstants.NO_SECURITY) {
                return;
            }


            /*
             * For every action we need a username, so get this now. The
             * username defined in the deployment descriptor takes precedence.
             */
            reqData.setUsername((String) getOption(WSHandlerConstants.USER));
            if (reqData.getUsername() == null || reqData.getUsername().equals("")) {
                String username = (String) getProperty(reqData.getMsgContext(), WSHandlerConstants.USER);
                if (username != null) {
                    reqData.setUsername(username);
                } else {
                    reqData.setUsername(((MessageContext)reqData.getMsgContext()).getUsername());
                    ((MessageContext)reqData.getMsgContext()).setUsername(null);
                }
            }
            /*
             * Now we perform some set-up for UsernameToken and Signature
             * functions. No need to do it for encryption only. Check if
             * username is available and then get a passowrd.
             */
            if (((doAction & (WSConstants.SIGN | WSConstants.UT | WSConstants.UT_SIGN)) != 0)
                && (reqData.getUsername() == null || reqData.getUsername().equals(""))) {
                /*
                 * We need a username - if none throw an AxisFault. For
                 * encryption there is a specific parameter to get a username.
                 */
                 throw new AxisFault("WSDoAllSender: Empty username for specified action");
            }
            if (doDebug) {
                log.debug("Action: " + doAction);
                log.debug("Actor: " + reqData.getActor());
            }
            /*
             * Now get the SOAP part from the request message and convert it
             * into a Document.
             *
             * This forces Axis to serialize the SOAP request into FORM_STRING.
             * This string is converted into a document.
             *
             * During the FORM_STRING serialization Axis performs multi-ref of
             * complex data types (if requested), generates and inserts
             * references for attachements and so on. The resulting Document
             * MUST be the complete and final SOAP request as Axis would send it
             * over the wire. Therefore this must shall be the last (or only)
             * handler in a chain.
             *
             * Now we can perform our security operations on this request.
             */
            Document doc = null;
            Message message = mc.getCurrentMessage();


            /**
             * There is nothing to send...Usually happens when the provider needs to
             * send a HTTP 202 message (with no content)
             */
            if(message == null){
                return;
            }


            /*
            * If the message context property conatins a document then this is
            * a chained handler.
            */
            SOAPPart sPart = (org.apache.axis.SOAPPart) message.getSOAPPart();
            if ((doc = (Document) ((MessageContext)reqData.getMsgContext())
                    .getProperty(WSHandlerConstants.SND_SECURITY)) == null) {
                try {
                    doc = ((org.apache.axis.message.SOAPEnvelope) sPart
                            .getEnvelope()).getAsDocument();
                } catch (Exception e) {
                    throw new AxisFault(
                            "WSDoAllSender: cannot get SOAP envlope from message"
                                    + e);
                }
            }
            if (tlog.isDebugEnabled()) {
                t1 = System.currentTimeMillis();
            }


            doSenderAction(doAction, doc, reqData, actions, !mc.getPastPivot());
            
            if (tlog.isDebugEnabled()) {
                t2 = System.currentTimeMillis();
            }


            /*
             * If required convert the resulting document into a message first.
             * The outputDOM() method performs the necessary c14n call. After
             * that we extract it as a string for further processing.
             *
             * Set the resulting byte array as the new SOAP message.
             *
             * If noSerialization is false, this handler shall be the last (or
             * only) one in a handler chain. If noSerialization is true, just
             * set the processed Document in the transfer property. The next
             * Axis WSS4J handler takes it and performs additional security
             * processing steps.
             *
             */
            if (reqData.isNoSerialization()) {
                ((MessageContext)reqData.getMsgContext()).setProperty(WSHandlerConstants.SND_SECURITY,
                        doc);
            } else {
                ByteArrayOutputStream os = new ByteArrayOutputStream();
                XMLUtils.outputDOM(doc, os, true);
                sPart.setCurrentMessage(os.toByteArray(), SOAPPart.FORM_BYTES);
                if (doDebug) {
                    String osStr = null;
                    try {
                        osStr = os.toString("UTF-8");
                    } catch (UnsupportedEncodingException e) {
                        osStr = os.toString();
                    }
                    log.debug("Send request:");
                    log.debug(osStr);
                }
                ((MessageContext)reqData.getMsgContext()).setProperty(WSHandlerConstants.SND_SECURITY,
                        null);
            }
            if (tlog.isDebugEnabled()) {
                t3 = System.currentTimeMillis();
                tlog.debug("Send request: total= " + (t3 - t0) +
                        " request preparation= " + (t1 - t0) +
                        " request processing= " + (t2 - t1) +
                        " request to Axis= " + (t3 - t2) +
                        "\n");                
            }


            if (doDebug) {
                log.debug("WSDoAllSender: exit invoke()");
            }
        } catch (WSSecurityException e) {
            throw new AxisFault(e.getMessage(), e);
        } finally {
            reqData.clear();
            reqData = null;
        }
    }

View Full Code Here

        long t0 = 0, t1 = 0, t2 = 0, t3 = 0, t4 = 0;
        if (tlog.isDebugEnabled()) {
            t0 = System.currentTimeMillis();
        }        


        RequestData reqData = new RequestData();
        /*
        * The overall try, just to have a finally at the end to perform some
        * housekeeping.
        */
        try {
            reqData.setMsgContext(msgContext);


            Vector actions = new Vector();
            String action = null;
            if ((action = (String) getOption(WSHandlerConstants.ACTION)) == null) {
                action = (String) msgContext
                        .getProperty(WSHandlerConstants.ACTION);
            }
            if (action == null) {
                throw new AxisFault("WSDoAllReceiver: No action defined");
            }
            int doAction = WSSecurityUtil.decodeAction(action, actions);


            String actor = (String) getOption(WSHandlerConstants.ACTOR);


            Message sm = msgContext.getCurrentMessage();
            Document doc = null;


            /**
             * We did not receive anything...Usually happens when we get a
             * HTTP 202 message (with no content)
             */
            if(sm == null){
                return;
            }


            try {
                doc = sm.getSOAPEnvelope().getAsDocument();
                if (doDebug) {
                    log.debug("Received SOAP request: ");
                    log.debug(org.apache.axis.utils.XMLUtils
                            .PrettyDocumentToString(doc));
                }
            } catch (Exception ex) {
                if (doDebug) {
                    log.debug(ex.getMessage(), ex);
                }
                throw new AxisFault(
                        "WSDoAllReceiver: cannot convert into document", ex);
            }
            /*
            * Check if it's a response and if its a fault. Don't process
            * faults.
            */
            String msgType = sm.getMessageType();
            if (msgType != null && msgType.equals(Message.RESPONSE)) {
                SOAPConstants soapConstants = WSSecurityUtil
                        .getSOAPConstants(doc.getDocumentElement());
                if (WSSecurityUtil.findElement(doc.getDocumentElement(),
                        "Fault", soapConstants.getEnvelopeURI()) != null) {
                    return;
                }
            }


            /*
            * To check a UsernameToken or to decrypt an encrypted message we
            * need a password.
            */
            CallbackHandler cbHandler = null;
            if ((doAction & (WSConstants.ENCR | WSConstants.UT)) != 0) {
                cbHandler = getPasswordCB(reqData);
            }


            /*
            * Get and check the Signature specific parameters first because
            * they may be used for encryption too.
            */
            doReceiverAction(doAction, reqData);
            
            Vector wsResult = null;
            if (tlog.isDebugEnabled()) {
                t1 = System.currentTimeMillis();
            }        


            try {
                wsResult = secEngine.processSecurityHeader(doc, actor,
                        cbHandler, reqData.getSigCrypto(), reqData.getDecCrypto());
            } catch (WSSecurityException ex) {
                if (doDebug) {
                    log.debug(ex.getMessage(), ex);
                }
                throw new AxisFault(
                        "WSDoAllReceiver: security processing failed", ex);
            }


            if (tlog.isDebugEnabled()) {
                t2 = System.currentTimeMillis();
            }        


            if (wsResult == null) { // no security header found
                if (doAction == WSConstants.NO_SECURITY) {
                    return;
                } else {
                    throw new AxisFault(
                            "WSDoAllReceiver: Request does not contain required Security header");
                }
            }


            if (reqData.getWssConfig().isEnableSignatureConfirmation() && msgContext.getPastPivot()) {
                checkSignatureConfirmation(reqData, wsResult);
            }
            /*
            * save the processed-header flags
            */
            ArrayList processedHeaders = new ArrayList();
            Iterator iterator = sm.getSOAPEnvelope().getHeaders().iterator();
            while (iterator.hasNext()) {
                org.apache.axis.message.SOAPHeaderElement tempHeader = (org.apache.axis.message.SOAPHeaderElement) iterator
                        .next();
                if (tempHeader.isProcessed()) {
                    processedHeaders.add(tempHeader.getQName());
                }
            }


            /*
            * If we had some security processing, get the original SOAP part of
            * Axis' message and replace it with new SOAP part. This new part
            * may contain decrypted elements.
            */
            SOAPPart sPart = (org.apache.axis.SOAPPart) sm.getSOAPPart();


            ByteArrayOutputStream os = new ByteArrayOutputStream();
            XMLUtils.outputDOM(doc, os, true);
            sPart.setCurrentMessage(os.toByteArray(), SOAPPart.FORM_BYTES);
            if (doDebug) {
                log.debug("Processed received SOAP request");
                log.debug(org.apache.axis.utils.XMLUtils
                        .PrettyDocumentToString(doc));
            }
            if (tlog.isDebugEnabled()) {
                t3 = System.currentTimeMillis();
            }        


            /*
            * set the original processed-header flags
            */
            iterator = processedHeaders.iterator();
            while (iterator.hasNext()) {
                QName qname = (QName) iterator.next();
                Enumeration headersByName = sm.getSOAPEnvelope().getHeadersByName(
                        qname.getNamespaceURI(), qname.getLocalPart());
                while (headersByName.hasMoreElements()) {
                    org.apache.axis.message.SOAPHeaderElement tempHeader =
                        (org.apache.axis.message.SOAPHeaderElement) headersByName.nextElement();
                    tempHeader.setProcessed(true);
                }
            }


            /*
            * After setting the new current message, probably modified because
            * of decryption, we need to locate the security header. That is, we
            * force Axis (with getSOAPEnvelope()) to parse the string, build
            * the new header. Then we examine, look up the security header and
            * set the header as processed.
            *
            * Please note: find all header elements that contain the same actor
            * that was given to processSecurityHeader(). Then check if there is
            * a security header with this actor.
            */


            SOAPHeader sHeader = null;
            try {
                sHeader = sm.getSOAPEnvelope().getHeader();
            } catch (Exception ex) {
                if (doDebug) {
                    log.debug(ex.getMessage(), ex);
                }
                throw new AxisFault(
                        "WSDoAllReceiver: cannot get SOAP header after security processing",
                        ex);
            }


            Iterator headers = sHeader.examineHeaderElements(actor);


            SOAPHeaderElement headerElement = null;
            while (headers.hasNext()) {
                org.apache.axis.message.SOAPHeaderElement hE = (org.apache.axis.message.SOAPHeaderElement) headers.next();
                if (hE.getLocalName().equals(WSConstants.WSSE_LN)
                        && hE.getNamespaceURI().equals(WSConstants.WSSE_NS)) {
                    headerElement = hE;
                    break;
                }
            }
            ((org.apache.axis.message.SOAPHeaderElement) headerElement)
                    .setProcessed(true);


            /*
            * Now we can check the certificate used to sign the message. In the
            * following implementation the certificate is only trusted if
            * either it itself or the certificate of the issuer is installed in
            * the keystore.
            *
            * Note: the method verifyTrust(X509Certificate) allows custom
            * implementations with other validation algorithms for subclasses.
            */


            // Extract the signature action result from the action vector
            WSSecurityEngineResult actionResult = WSSecurityUtil
                    .fetchActionResult(wsResult, WSConstants.SIGN);


            if (actionResult != null) {
                X509Certificate returnCert = actionResult.getCertificate();


                if (returnCert != null && !verifyTrust(returnCert, reqData)) {
                    throw new AxisFault(
                            "WSDoAllReceiver: The certificate used for the signature is not trusted");
                }
            }


            /*
            * Perform further checks on the timestamp that was transmitted in
            * the header. In the following implementation the timestamp is
            * valid if it was created after (now-ttl), where ttl is set on
            * server side, not by the client.
            *
            * Note: the method verifyTimestamp(Timestamp) allows custom
            * implementations with other validation algorithms for subclasses.
            */


            // Extract the timestamp action result from the action vector
            actionResult = WSSecurityUtil.fetchActionResult(wsResult,
                    WSConstants.TS);


            if (actionResult != null) {
                Timestamp timestamp = actionResult.getTimestamp();


                if (timestamp != null 
                    && !verifyTimestamp(timestamp, decodeTimeToLive(reqData))) {
                    throw new AxisFault("WSDoAllReceiver: The timestamp could not be validated");
                }
            }


            /*
            * now check the security actions: do they match, in right order?
            */
            if (!checkReceiverResults(wsResult, actions)) {
                throw new AxisFault(
                    "WSDoAllReceiver: security processing failed (actions mismatch)");                
                
            }
            /*
            * All ok up to this point. Now construct and setup the security
            * result structure. The service may fetch this and check it.
            */
            Vector results = null;
            if ((results = (Vector) msgContext
                    .getProperty(WSHandlerConstants.RECV_RESULTS)) == null) {
                results = new Vector();
                msgContext
                        .setProperty(WSHandlerConstants.RECV_RESULTS, results);
            }
            WSHandlerResult rResult = new WSHandlerResult(actor, wsResult);
            results.add(0, rResult);
            if (tlog.isDebugEnabled()) {
                t4 = System.currentTimeMillis();
                tlog.debug("Receive request: total= " + (t4 - t0) +
                        " request preparation= " + (t1 - t0) +
                        " request processing= " + (t2 - t1) +
                        " request to Axis= " + (t3 - t2) + 
                        " header, cert verify, timestamp= " + (t4 - t3) +
                        "\n");                                
            }        


            if (doDebug) {
                log.debug("WSDoAllReceiver: exit invoke()");
            }
        } catch (WSSecurityException e) {
            if (doDebug) {
                log.debug(e.getMessage(), e);
            }
            throw new AxisFault(e.getMessage(), e);
        } finally {
            reqData.clear();
            reqData = null;
        }
    }

View Full Code Here

0 1 2 3 4 5 6 7 8 9

TOP

Related Classes of org.apache.ws.security.handler.RequestData

org.apache.axis2.security.WSDoAllReceiver

org.apache.axis2.security.WSDoAllSender

org.apache.cxf.fediz.core.FederationProcessorImpl

org.apache.cxf.fediz.core.saml.SAMLTokenValidator

org.apache.cxf.rs.security.common.TrustValidator

org.apache.cxf.rs.security.oauth2.grants.saml.Saml2BearerGrantHandler

org.apache.cxf.rs.security.saml.AbstractSamlInHandler

org.apache.cxf.rs.security.saml.sso.SAMLProtocolResponseValidator

org.apache.cxf.sts.operation.IssueSamlUnitTest

org.apache.cxf.sts.request.RequestParser

All source code are property of their respective owners. Java is a trademark of Sun Microsystems, Inc and owned by ORACLE Inc. Contact coftware#gmail.com.